Authors' abstract

The paper studies the incorporation of a fair nondeterministic choice operator into a 
generalization of Dijkstra's calculus of guarded commands. The new operator is not 
monotonic for the orderings that are generally used for proving the existence of least 
fixpoints for recursive definitions. To prove the existence of a fixpoint it is necessary 
to consider several orderings at once, and to restrict the class of recursive definitions. 
Perspective

Over a decade ago, Dijkstra developed a weakest-precondition calculus for reasoning about programs written in a simple language of guarded commands. The basis of the calculus is the idea that the meaning of a statement $S$ is a predicate transformer $wp(S, \cdot)$, where $wp(S, P)$ asserts what must be true initially if an execution of $S$ is to terminate with $P$ true.

Dijkstra's language was distinguished from conventional toy languages by the funda- 
mental position it accorded to nondeterministic operations. It may also have been the 
first language proposed since BASIC that did not include recursive procedures, which 
were omitted because the weakest-precondition calculus could not handle recursive 
programs. 

In SRC Research Report 16, Greg Nelson extended Dijkstra's calculus to general recursive programs. In the spirit of denotational semantics, the meaning of a recursive program is defined by a least fixpoint. A key element of his approach was extending the language to allow partial commands, ones that could fail and cause backtracking. This allowed him to give meanings to individual components of a statement, and to derive the meaning of a complete statement from the meanings of its components. For example, the $\square$ of Dijkstra's language becomes an operator for composing partial commands, where $A \square B$ means execute either $A$ or $B$.

The present report generalizes the prior results to a further extension of Dijkstra's language, obtained by adding the "dovetail" operator $\nabla$. Intuitively, $A \nabla B$ means execute both $A$ and $B$, independently, and take the result produced by either of them that terminates. Thus, the results that can be produced by executing $A \square B$ and $A \nabla B$ are the same. However, $A \square B$ may fail to terminate, not producing any result, if either $A$ or $B$ fails to terminate, while $A \nabla B$ must terminate if either $A$ or $B$ does.

The dovetail operator introduces fairness into the language. The command $A \nabla B$ can be implemented by running $A$ and $B$ in parallel, with a fair scheduler, and taking the result of whichever finishes first. Fairness traditionally means trouble. The dovetail operator, together with recursion, provides unbounded nondeterminism, for example the ability to write a terminating, nondeterministic statement that can set $x$ to any integer. Dijkstra's original calculus is unsound for any language with unbounded nondeterminism. Fairness and unbounded nonde­terminism also wreak havoc with denotational methods, since they lead to discontinuity.

This report uses least fixpoints to define the meaning of commands in the extended language, which includes recursion and the dovetail operator. The price of handling fairness is the possibility that a recursive equation purporting to define a command does not have a solution. It appears that computer scientists, like mathematicians, must face the existence of equations that have no solutions.

1. Introduction

The fixpoint method of denotational semantics is so successful that it is a surprise to find a programming language construct for which it doesn't seem to work. But this is the case for the dovetail operator, which, although it is not popular among programming language designers, is of theoretical, and maybe also practical, importance. The operational definition of dovetail (which we shall write $\nabla$) is as follows:

$A \nabla B$ = Execute the commands $A$ and $B$ in parallel, on separate copies of the state, interleaving the two computations non-deterministically but fairly, accepting as an outcome any proper (i.e., non-looping) outcome of either $A$ or $B$.

By "fairly" it is meant that neither computation is starved: if the computation is infinite, then each of the $A$ and $B$ parts is either infinite, or else runs to completion without producing an outcome, as can happen in the case of partial commands. Partial commands are those that do not satisfy the Law of the Excluded Miracle: viewed as relations, they are partial; viewed operationally, they may "fail", that is, backtrack.

As a hint at the power of the dovetail operator, we show how it immediately leads to unbounded nondeterminism. Operationally, a recursive call can be treated by replacing the call with the right-hand side of the recursive definition whenever necessary. This makes it obvious that the recursion

$$X = (n := 0\ \nabla\ (X ; n := n + 1))$$

has the solution $X$ = "set $n$ to any natural number". This is in contrast to the recursion

$$Y = (n := 0\ \square\ (Y ; n := n + 1))$$

which has the solution $Y$ = "set $n$ to any natural number, or loop". (The semicolon operator represents sequential composition and the operator $\square$ represents nondeterministic choice. The recursion with $\square$ can loop, since a recursive call is available at every choice. The recursion with $\nabla$ cannot loop, since at each level of recursion, in particular at the outermost level, the $n := 0$ branch cannot be delayed indefinitely.)

Unbounded nondeterminism can be handled in Dijkstra's calculus; for example, see Boom's paper [0]. But the dovetail operator is more of a challenge.

The dovetail operator is the imperative counterpart of the ambiguity operator introduced by McCarthy in 1963: "We define a basic ambiguity operator amb(x,y) whose possible values are x or y when both are defined, otherwise, whichever is defined" [2]. The ambiguity operator is not monotonic in the orderings of either the Smyth or the Plotkin powerdomains. Therefore its fixpoint theory, presented by Broy in 1986, is far from straightforward [1]. The dovetail operator also is not monotonic, and to treat it by the fixpoint method requires some of Broy's techniques. But the presence of partial commands introduces additional difficulties. In fact, in the axiomatic definitions that we propose, not all recursions involving dovetail have solutions.

2. Preliminaries 

Our framework is the generalization of Dijkstra's calculus described by Nel- 
son in SRC-16 [3], which will be briefly described in this section. 

We use a left-associative infix dot to denote function application, together with Curry's convention for reducing n-ary functions to unary functions. That is, we write $f.x$ instead of $f(x)$, $g.x.y$ instead of $g(x,y)$, and $g.x$ instead of $(\lambda y.\ g(x,y))$.

A command $A$ is defined to be a pair of predicate transformers, written $wp.A$ and $wlp.A$, satisfying the pairing condition, which is that for any predicate $R$,

$$wp.A.R = wp.A.\mathit{true} \wedge wlp.A.R ,$$

and the conjunctivity condition, which is that $wlp.A$ distributes over any conjunction. It follows that the predicate transformer $wp.A$ distributes over any non-empty conjunction.

For any command $A$, we define two predicates, read guard of $A$ and halt of $A$, as follows:

$$grd.A = \neg\, wp.A.\mathit{false} ,$$
$$hlt.A = wp.A.\mathit{true} .$$

The predicate $grd.A$ characterizes those states from which failure is impossible; the predicate $hlt.A$ characterizes those states from which termination is guaranteed. If $grd.A = \mathit{true}$, then $A$ is a total command.

For commands $A$ and $B$, we define

$$\begin{array}{lcl}
A \sqsubseteq_{wp} B & \equiv & wp.A.R \Rightarrow wp.B.R \ \text{ for any } R \\
A \sqsubseteq_{wlp} B & \equiv & wlp.B.R \Rightarrow wlp.A.R \ \text{ for any } R \\
A \sqsubseteq B & \equiv & A \sqsubseteq_{wp} B \ \wedge\ A \sqsubseteq_{wlp} B
\end{array}$$

The relation $A \sqsubseteq B$ is read $A$ approximates $B$; it is a complete partial order on the set of all commands. Operationally, $A$ approximates $B$ if $A$ can be obtained by substituting looping outcomes for some of $B$'s outcomes. For example, executing a command for a limited amount of time produces an approximation to the command, provided that computations that exceed the time limit are classified as loops. Thus $\mathit{Loop}$ approximates every command, and a command with no looping outcomes approximates no command except itself.

Notice that we have inverted the definition of $\sqsubseteq_{wlp}$ given in SRC-16; this change makes formulas more readable.

We will use square brackets to denote the following drastic map on predicates: $[\mathit{true}] = \mathit{true}$, and $[P] = \mathit{false}$ for all other $P$.

We will write

$$(\mathit{operation}\ \mathit{dummies} : \mathit{range} : \mathit{term})$$

to denote the combination via the given operation of the values assumed by the given term as the dummies vary over the given range. The operation must be commutative, associative, and (if the range is empty) possess an identity. If the range is obvious from the context, it will be omitted. For example, the greatest lower bound of the set $S$ of predicates is denoted by $(\wedge\, P : P \in S : P)$, or by $(\wedge\, P :: P)$ if $S$ is obvious from the context.

In order to express formulas involving the two operators $wp$ and $wlp$ compactly, the parenthesis convention will be used: a formula containing parenthesized expressions represents two formulas, in one of which the parenthesized expressions are ignored, in the other of which each parenthesized expression is either inserted, or substituted for the item to its left, whichever is suggested by the context. For example, consider the following two formulas, proved in SRC-16, in which $A$ ranges over any $\sqsubseteq$-chain and $\sqcup$ denotes join (that is, least upper bound) with respect to $\sqsubseteq$:

$$wlp.(\sqcup\, A :: A).R = (\wedge\, A :: wlp.A.R)$$
$$wp.(\sqcup\, A :: A).R = (\vee\, A :: wp.A.R)$$

Using the parenthesis convention, they are equivalent to the single formula

$$w(l)p.(\sqcup\, A :: A).R = (\vee(\wedge)\, A :: w(l)p.A.R) .$$

Here are the definitions of the basic commands and operators:

$$\begin{array}{lcl}
w(l)p.\mathit{Fail}.R & = & \mathit{true} \\
w(l)p.\mathit{Skip}.R & = & R \\
w(l)p.\mathit{Loop}.R & = & \mathit{false}\ (\mathit{true}) \\
w(l)p.\mathit{Havoc}.R & = & [R] \\
w(l)p.(A \square B).R & = & w(l)p.A.R \wedge w(l)p.B.R \\
w(l)p.(A ; B).R & = & w(l)p.A.(w(l)p.B.R) \\
w(l)p.(P \rightarrow A).R & = & \neg P \vee w(l)p.A.R \\
w(l)p.[\,x \mid A\,].R & = & (\forall x :: w(l)p.A.R) \\
w(l)p.(A \diamond B).R & = & w(l)p.A.R \wedge (grd.A \vee w(l)p.B.R)
\end{array}$$

Here $[R]$ is the drastic map defined above: $[R]$ is $\mathit{true}$ exactly when $R$ is identically $\mathit{true}$.

All of these operations are monotonic with respect to the approximation order. Except for $\mathit{Havoc}$ and $\diamond$, they are likely to be familiar. The command $\mathit{Havoc}$ relates each initial state to every final state; its equation gives $hlt.\mathit{Havoc} = [\mathit{true}] = \mathit{true}$, so it has no looping outcome (on a one-point state space it therefore coincides with $\mathit{Skip}$, a fact used in Section 4). The command $A \diamond B$ means "execute $A$ unless it fails, in which case execute $B$". Its precondition equation can be derived from the formula

$$A \diamond B = A \square (\neg grd.A \rightarrow B)$$

3. Definition and elementary properties of dovetail 

The precondition equations for $\nabla$ are somewhat subtle:

$$wlp.(A \nabla B).R = wlp.A.R \wedge wlp.B.R$$

$$hlt.(A \nabla B) = (hlt.A \vee hlt.B) \wedge (grd.A \vee hlt.B) \wedge (grd.B \vee hlt.A)$$

That is, as far as $wlp$ is concerned, $\nabla$ is the same as $\square$. It differs by having a more liberal $wp$ equation: to ensure that $A \nabla B$ halts, it suffices to forbid $A$ and $B$ from both looping and to forbid either from looping in a state where the other fails. The value of $wp$ for postconditions other than $\mathit{true}$ is determined by the pairing condition. To verify that $A \nabla B$ is a command we must show that its $wlp$-transformer is conjunctive; but this is immediate. The $hlt$ equation for dovetail has an alternative form:

$$hlt.(A \nabla B) = (hlt.A \wedge hlt.B) \vee (grd.A \wedge hlt.A) \vee (grd.B \wedge hlt.B)$$

The alternative form is sometimes useful, although we will not use it in this paper. It can be derived from the first form by distributing $\wedge$ over $\vee$ and simplifying.

Lemma A. For any $A$, $B$, we have $grd.(A \nabla B) = grd.A \vee grd.B$.

Proof. This is easy to see when $A$ and $B$ are viewed as relations, since a looping outcome of (say) $A$ from some initial state can be excluded from $A \nabla B$ only if $B$ has a proper outcome from that state. Thus, although $A \nabla B$ is smaller than the relational union, its domain is equal to the domain of the relational union.

The axiomatic proof begins with the observation that for any command $A$,

$$wlp.A.\mathit{false} \Rightarrow (hlt.A = \neg grd.A) \qquad (*)$$

whose proof is as follows: in any state where $wlp.A.\mathit{false}$ holds,

$$\begin{array}{cl}
 & grd.A \\
= & \neg wp.A.\mathit{false} \\
= & \neg (wp.A.\mathit{true} \wedge wlp.A.\mathit{false}) \\
= & \neg wp.A.\mathit{true} \\
= & \neg hlt.A
\end{array}$$

Armed with this observation, we prove Lemma A by deriving the complement of the right side from the complement of the left side:

$$\begin{array}{cl}
 & \neg grd.(A \nabla B) \\
= & wp.(A \nabla B).\mathit{false} \\
= & hlt.(A \nabla B) \wedge wlp.(A \nabla B).\mathit{false} \\
= & (hlt.A \vee hlt.B) \wedge (hlt.A \vee grd.B) \wedge (hlt.B \vee grd.A) \wedge wlp.A.\mathit{false} \wedge wlp.B.\mathit{false} \\
= & \{\ (*), \text{ twice }\ \} \\
  & (hlt.A \vee hlt.B) \wedge (hlt.A \vee \neg hlt.B) \wedge (hlt.B \vee \neg hlt.A) \wedge wlp.A.\mathit{false} \wedge wlp.B.\mathit{false} \\
= & \{\ \text{Resolution on conjuncts 1 and 2; 1 and 3}\ \} \\
  & hlt.A \wedge hlt.B \wedge wlp.A.\mathit{false} \wedge wlp.B.\mathit{false} \\
= & wp.A.\mathit{false} \wedge wp.B.\mathit{false} \\
= & \neg grd.A \wedge \neg grd.B \\
= & \neg (grd.A \vee grd.B) \qquad \blacksquare
\end{array}$$

Lemma B. For any $A$, $B$, we have $(A \square B) \sqsubseteq (A \nabla B)$.

Proof. This is also easy to see when the commands are viewed as relations, since $A \square B$ can differ from $A \nabla B$ only by having extra looping outcomes from states where $A \nabla B$ has at least one non-looping outcome, and this is precisely the difference that is allowed by the approximation relation.

The axiomatic proof is as follows. The $\sqsubseteq_{wlp}$ part of the proof is trivial, since $\square$ and $\nabla$ have the same $wlp$-equation. Because of the pairing condition and the fact that the two sides are $wlp$-equivalent, the $\sqsubseteq_{wp}$ part of the proof can be completed by showing that $hlt.(A \square B) \Rightarrow hlt.(A \nabla B)$. The proof of this is:

$$\begin{array}{cl}
 & hlt.(A \square B) \\
= & hlt.A \wedge hlt.B \\
\Rightarrow & (hlt.A \vee hlt.B) \wedge (grd.A \vee hlt.B) \wedge (grd.B \vee hlt.A) \\
= & hlt.(A \nabla B) \qquad \blacksquare
\end{array}$$

4. Nonmonotonicity of dovetail

The reason that the classical fixpoint method doesn't work for dovetail is that dovetail is not monotonic with respect to the approximation relation. For example,

$$\mathit{Loop} \sqsubseteq \mathit{Havoc}$$

but

$$\mathit{Loop} \nabla \mathit{Skip} \not\sqsubseteq \mathit{Havoc} \nabla \mathit{Skip}$$

since $\mathit{Loop} \nabla \mathit{Skip} = \mathit{Skip}$ and $\mathit{Havoc} \nabla \mathit{Skip} = \mathit{Havoc}$, but $\mathit{Skip} \not\sqsubseteq \mathit{Havoc}$.

In fact, under our definitions, there are recursions involving dovetail that have no solutions. Consider

$$f.X = [\,b \mid ((X \diamond b := 0)\ \nabla\ b := 1) ; (b = 0 \rightarrow \mathit{Loop})\,]$$

If $X$ is defined by this recursion, and recursion is implemented by the usual unfolding, then $X$ will be equivalent operationally to $\mathit{Loop}$. The computation tree for $X$ branches at $\nabla$ at each level of recursion. Each $b := 1$ branch leads to a $b = 0$ guard, where it fails. The other branch leads to a recursive call. Thus the computation will search an infinite tree, failing to find any proper outcomes.

But $\mathit{Loop}$ is not a fixpoint of $f$. Since $\mathit{Loop} \diamond b := 0$ is equal to $\mathit{Loop}$, and $\mathit{Loop} \nabla b := 1$ is equal to $b := 1$, direct computation yields $f.\mathit{Loop} = \mathit{Fail}$.

In fact, $f$ has no fixpoint. The commands that $f$ operates on are commands on a zero-dimensional state space (that is, a point), since $b$ is local to the block. There are only four such commands: $\mathit{Loop}$, $\mathit{Fail}$, $\mathit{Skip}$, and $\mathit{Skip} \square \mathit{Loop}$. (On a zero-dimensional state space, $\mathit{Skip}$ and $\mathit{Havoc}$ coincide.) Computation yields:

$$\begin{array}{lcl}
f.\mathit{Loop} & = & \mathit{Fail} \\
f.\mathit{Fail} & = & \mathit{Loop} \\
f.\mathit{Skip} & = & \mathit{Loop} \\
f.(\mathit{Skip} \square \mathit{Loop}) & = & \mathit{Loop}
\end{array}$$

5. Two fixpoint theorems for dovetail 

If operational semantics is the touchstone by which other semantics are judged, then the example above is a serious blow to our semantic definitions, one that strongly suggests changing the axiomatic semantics to agree with some operational semantics. But there is another approach, which we will explore in the remainder of this paper: we take the axiomatic semantics as the touchstone by which other semantics are judged. The axiomatic semantics is in effect a specification language; perhaps too rich to be handled in its entirety by an operational implementation, but well defined nonetheless.

This is as much a question of technique as of philosophy. If the nineteenth century mathematicians who made sense of infinite series had known denotational semantics, they might have added $\bot$ to the real numbers $\mathbb{R}$ (as well as one new open set $\mathbb{R} \cup \{\bot\}$ to $\mathbb{R}$'s topology), after which they would have been able to prove that every series has a unique "least convergence point" in the inverse Scott order determined by the topology. For example, the least convergence point of $1 + 1 - 1 + 1 \ldots$ is $\bot$; the least convergence point of $1/2 + 1/4 + 1/8 \ldots$ is $1$. But instead, these mathematicians worked with the unextended real numbers, in which not all series converge. The choice is not too serious, since with either technique, the important thing is to find tests that guarantee various kinds of convergence.

Our approach will be to find restricted classes of recursions that are guaranteed to have solutions in our calculus, analogous to restricted classes of infinite series that are guaranteed to converge. In SRC-16 it was proved by the simple fixpoint method that if $\nabla$ is excluded, then all recursions have solutions. In this paper, we prove two results that include dovetail: (1) if $\diamond$ is excluded, then all recursions have solutions, and (2) if semicolon is restricted so that its second argument is always total, then all recursions have solutions.

Neither of these results seems to be provable by the simple fixpoint method. This section outlines an alternative method of proof that works for both results.

We write $A =_{wlp} B$ to mean that $wlp.A = wlp.B$. Here is the first result:

Theorem 1. Let $f$ be a map from commands to commands defined by an expression of the form $f.X = E$, where $E$ is an expression built from the five operations

$$\square \qquad \rightarrow \qquad ; \qquad [\,\mid\,] \qquad \nabla$$

as well as the command parameter $X$ and any number of fixed commands and predicates. Then $f$ has a least fixpoint in the order $\le$, defined by:

$$A \le B \equiv (A \sqsubseteq_{wlp} B) \wedge ((A =_{wlp} B) \Rightarrow (A \sqsubseteq B)) .$$

The approximation order $\sqsubseteq$ is the intersection of $\sqsubseteq_{wlp}$ with $\sqsubseteq_{wp}$; the new order $\le$ is a sort of lexicographic combination of $\sqsubseteq_{wlp}$ with $\sqsubseteq_{wp}$.

Theorem 1 cannot be proved as a simple application of the Knaster-Tarski Theorem, since none of the operators are monotonic with respect to $\le$. For example, consider sequential composition: we have

$$x := 1 \ \le\ (x := 1 \square x := 2)$$

but with $C$ given by $(x = 1 \rightarrow \mathit{Skip}) \square (x = 2 \rightarrow \mathit{Loop})$ we have

$$x := 1 ; C \ \not\le\ (x := 1 \square x := 2) ; C$$

since $x := 1 \not\le x := 1 \square \mathit{Loop}$: the two sides are $wlp$-equivalent, so $\le$ would require $x := 1 \sqsubseteq x := 1 \square \mathit{Loop}$, which fails because a command without looping outcomes approximates only itself.

A more complicated argument is required, which we now outline. First, we will change the recursion $f.X = E$ to the similar recursion $f^*.X = E^*$, where $E^*$ is obtained from $E$ by replacing all occurrences of $\nabla$ by $\square$. Theorem 8 of SRC-16 shows that $f^*$ has a fixpoint, say $X^*$. Operational intuition suggests that the only difference between the two recursions is that $\nabla$ will exclude some looping outcomes that are included by $\square$. Therefore we expect $f$ to have a fixpoint that differs from $X^*$ only by having fewer looping outcomes. Let $S$ be the set of commands that differ from $X^*$ only by having fewer looping outcomes. It turns out that $\nabla$ is monotonic with respect to approximation when it is restricted to $S$. (More generally, it is monotonic when restricted to any equivalence class of $=_{wlp}$.) Furthermore, $S$ is closed with respect to joins. Thus the Knaster-Tarski theorem can be applied, showing that $S$ contains a fixpoint of $f$. This proof will be completed in section 7.

For example, consider the recursion

$$f.X = X \nabla \mathit{Skip} . \qquad (1)$$

The related recursion is

$$f^*.X = X \square \mathit{Skip} .$$

The least fixpoint of $f^*$ is $\mathit{Loop} \square \mathit{Skip}$. The set $S$ of commands that differ from $\mathit{Loop} \square \mathit{Skip}$ only by having (possibly) fewer looping outcomes is the set of commands of the form

$$(P \rightarrow \mathit{Loop}) \square \mathit{Skip}$$

for all predicates $P$. On this set $f$ has an approximation-least fixpoint, namely $\mathit{Skip}$. (In fact, $\mathit{Skip}$ is the unique fixpoint on this set.)

Notice that the fixpoint is not approximation-minimal: for example, $\mathit{Havoc}$ is a fixpoint of (1), but $\mathit{Skip}$ does not approximate $\mathit{Havoc}$. Indeed, the set of fixpoints of (1) is the set of commands that, viewed as relations, contain $\mathit{Skip}$ and are contained by $\mathit{Havoc}$. This set is completely flat with respect to the approximation relation.

Minimizing with respect to either $\le$ or $\sqsubseteq$ has the effect of excluding proper outcomes and including looping outcomes; however, $\le$ gives precedence to the former. This is consistent with the construction in the proof, which first uses a fixpoint construction to locate the $=_{wlp}$ equivalence class of the fixpoint (thus determining its set of proper outcomes) and then uses a second fixpoint construction to maximize the number of looping outcomes within this equivalence class.
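
The relational reading used in Sections 3 to 5 can be checked mechanically on a finite state space. The Python model below is an added example written for this edition of the text; it is not code from the report or from SRC-16. It represents a command as a relation from each initial state to a set of outcomes (final states or a looping outcome), reads $wp$ and $wlp$ off that relation, builds $\nabla$ from the $hlt$ equation of Section 3, and then (i) confirms the $hlt$ equation, Lemma A and Lemma B exhaustively over all 64 commands on a two-state space, (ii) reproduces the nonmonotonicity pair and the four-command table of Section 4 (with $\mathit{Havoc}$ loop-free, as $wp.\mathit{Havoc}.\mathit{true} = [\mathit{true}]$ requires), and (iii) enumerates the fixpoints of recursion (1), checking that $\mathit{Skip}$ is $\le$-least while the fixpoints are pairwise incomparable under $\sqsubseteq$. The state spaces, the encoding of the local block $[\,b \mid \ldots\,]$ as a union over the initial values of $b$, and every function name are assumptions of this example.

```python
"""Finite-state model of the command calculus with dovetail (added example, not
the report's code).  A command on a state space S is a relation from each initial
state to a set of outcomes: final states or the looping outcome LOOP.  wp/wlp
are read off the relation; everything else follows the paper's equations."""
from itertools import combinations, product

LOOP = "LOOP"  # the looping outcome

class Cmd:
    def __init__(self, states, rel):
        self.states = tuple(states)
        self.rel = {s: frozenset(rel.get(s, ())) for s in self.states}
    def proper(self, s):  # non-looping outcomes from s
        return self.rel[s] - {LOOP}
    def wlp(self, R):  # states whose proper outcomes all lie in R
        return frozenset(s for s in self.states if self.proper(s) <= R)
    def wp(self, R):  # pairing condition: wlp, and no looping outcome
        return frozenset(s for s in self.wlp(R) if LOOP not in self.rel[s])
    def grd(self):  # grd.A = not wp.A.false: some outcome exists
        return frozenset(s for s in self.states if self.rel[s])
    def hlt(self):  # hlt.A = wp.A.true
        return self.wp(frozenset(self.states))
    def __eq__(self, o):
        return self.rel == o.rel

def fail(S): return Cmd(S, {})
def skip(S): return Cmd(S, {s: {s} for s in S})
def loop(S): return Cmd(S, {s: {LOOP} for s in S})
def havoc(S): return Cmd(S, {s: set(S) for s in S})  # wp.Havoc.true = [true] = true: never loops
def choice(A, B): return Cmd(A.states, {s: A.rel[s] | B.rel[s] for s in A.states})  # A [] B
def guard(P, A): return Cmd(A.states, {s: A.rel[s] for s in A.states if s in P})  # P -> A
def else_(A, B): return Cmd(A.states, {s: A.rel[s] or B.rel[s] for s in A.states})  # A <> B

def seq(A, B):  # A ; B: A's loops stay loops, A's proper outcomes continue into B
    return Cmd(A.states, {s: (A.rel[s] & {LOOP}) | set().union(*(B.rel[t] for t in A.proper(s)))
                          for s in A.states})

def dovetail(A, B):  # A dv B: every proper outcome of either; loops only if both loop,
    rel = {}          # or one loops while the other fails (negation of the hlt equation)
    for s in A.states:
        a, b = A.rel[s], B.rel[s]
        loops = (LOOP in a and (LOOP in b or not b)) or (LOOP in b and not a)
        rel[s] = ((a | b) - {LOOP}) | ({LOOP} if loops else set())
    return Cmd(A.states, rel)

def predicates(S):  # all subsets of S
    return [frozenset(p) for r in range(len(S) + 1) for p in combinations(S, r)]

def approx(A, B):  # A approximates B, straight from the Section 2 definition
    return all(B.wlp(R) <= A.wlp(R) and A.wp(R) <= B.wp(R) for R in predicates(A.states))

def leq(A, B):  # the order of Theorem 1: wlp-approximation first, approximation on wlp-ties
    Rs = predicates(A.states)
    wlp_below, wlp_equal = all(B.wlp(R) <= A.wlp(R) for R in Rs), all(A.wlp(R) == B.wlp(R) for R in Rs)
    return wlp_below and (not wlp_equal or approx(A, B))

def all_commands(S):
    return [Cmd(S, dict(zip(S, outs))) for outs in product(predicates(tuple(S) + (LOOP,)), repeat=len(S))]

def check_dovetail_laws(S):  # Section 3, exhaustively: the hlt equation, Lemma A and Lemma B
    for A, B in product(all_commands(S), repeat=2):
        D, hA, hB, gA, gB = dovetail(A, B), A.hlt(), B.hlt(), A.grd(), B.grd()
        if D.hlt() != (hA | hB) & (gA | hB) & (gB | hA):
            return False
        if D.grd() != gA | gB or not approx(choice(A, B), D):
            return False
    return True

def nonmonotonic_witness(S):  # Section 4: Loop approx Havoc, but not Loop dv Skip approx Havoc dv Skip
    L, H, K = loop(S), havoc(S), skip(S)
    return approx(L, H) and dovetail(L, K) == K and dovetail(H, K) == H and not approx(K, H)

PT, BITS = ("pt",), (0, 1)  # one-point state space for X; the local bit b inside the block

def lift(X):  # enter the scope of b: X neither reads nor writes b
    return Cmd(BITS, {b: {b if o == "pt" else LOOP for o in X.rel["pt"]} for b in BITS})

def block(A):  # [b | A]: outcomes over every initial b (the wp equation's "for all b")
    outs = set().union(*(A.rel[b] for b in BITS))
    return Cmd(PT, {"pt": {LOOP if o == LOOP else "pt" for o in outs}})

def f(X):  # the Section 4 recursion  f.X = [b | ((X <> b:=0) dv b:=1) ; (b=0 -> Loop)]
    set0, set1 = Cmd(BITS, {b: {0} for b in BITS}), Cmd(BITS, {b: {1} for b in BITS})
    return block(seq(dovetail(else_(lift(X), set0), set1), guard({0}, loop(BITS))))

def fixpoints(g, S):
    return [X for X in all_commands(S) if g(X) == X]

def dovetail_skip_fixpoints(S):  # recursion (1): f.X = X dv Skip
    # returns (number of fixpoints, whether they are the loop-free commands containing
    # Skip, with Skip least in Theorem 1's order and no two of them approx-comparable)
    K = skip(S)
    fps = fixpoints(lambda X: dovetail(X, K), S)
    shape = all(X.hlt() == frozenset(S) and all(s in X.rel[s] for s in S) for X in fps)
    least = all(leq(K, X) for X in fps)
    flat = all(not approx(X, Y) for X in fps for Y in fps if X != Y)
    return len(fps), shape and least and flat
```

The approximation relation is computed from the $wp$/$wlp$ definition of Section 2, quantifying over all predicates on the space, rather than from the relational intuition; this is what makes the checks a test of the calculus itself. In particular `approx(loop(S), fail(S))` comes out true, as the remark that $\mathit{Loop}$ approximates every command requires, and `fixpoints(f, PT)` is empty, reproducing the four-line table of Section 4.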

The second result is that if semicolon is restricted so that its second argument is total, then all recursions have solutions. To state this precisely, we introduce the operation $;;$ on commands defined by

$$A ;; B = A ; (B \diamond \mathit{Loop}) .$$

Operationally, $A ;; B$ loops whenever $A ; B$ would backtrack from $B$ to $A$. If $B$ is total, there is no difference between $A ; B$ and $A ;; B$.

If $A$ and $B$ are commands, we write $A =_{grd} B$ to mean $grd.A = grd.B$, and we write $A =_{*} B$ to mean $A =_{wlp} B$ and $A =_{grd} B$.

Theorem 2. Let $f$ be a map from commands to commands defined by an expression of the form $f.X = E$, where $E$ is an expression built from the six operations

$$\square \qquad \rightarrow \qquad ;; \qquad [\,\mid\,] \qquad \nabla \qquad \diamond$$

as well as the command parameter $X$ and any number of fixed commands and predicates. Then $f$ has a least fixpoint in the order $\le$, defined by:

$$A \le B \equiv (A \sqsubseteq_{wlp} B) \wedge ((A =_{*} B) \Rightarrow (A \sqsubseteq B)) .$$

The proof of the second theorem is very similar to the proof of the first theorem. The substitution of $f^*$ for $f$ and the application of the Knaster-Tarski theorem within the set $S$ are the same; the difference is that in the definition of the set $S$, $=_{*}$ plays the role previously played by $=_{wlp}$. In order to avoid repeating the arguments that are common to both proofs, we will present them as a separate theorem that applies to any "acceptable" equivalence relation. Then Theorems 1 and 2 are proved by showing that $=_{wlp}$ and $=_{*}$ are acceptable. This program is carried out in the next two sections.

6. A fixpoint theorem for acceptable relations

An operation $f$ on commands respects an equivalence relation $\sim$ if for any commands $A$ and $B$,

$$A \sim B \Rightarrow f.A \sim f.B .$$

An operation with more than one argument respects $\sim$ if it respects $\sim$ in each argument.

An equivalence relation $\sim$ on commands is acceptable if:

(A1) $\square$ respects $\sim$.

(A2) $A \nabla B \sim A \square B$ for all $A$, $B$.

(A3) $A \sim B$ implies $A =_{wlp} B$ for all $A$, $B$.

(A4) Join with respect to $\sqsubseteq$ preserves equivalence classes of $\sim$. That is, for any command $B$ and non-empty family of commands $A_i$:

$$(\forall i :: A_i \sim B) \Rightarrow (\sqcup\, i :: A_i) \sim B .$$



Lemma C. If $\sim$ is acceptable, then $\nabla$ is $\sqsubseteq$-monotonic when the varying argument is restricted to any equivalence class of $\sim$. That is, for any commands $A$, $B$, and $C$:

$$(A \sim B) \wedge (A \sqsubseteq B) \Rightarrow (A \nabla C) \sqsubseteq (B \nabla C) .$$

Proof. Since $\sim$ is stronger than $=_{wlp}$, it suffices to show that dovetail is $\sqsubseteq$-monotonic when restricted to any equivalence class of $=_{wlp}$. The $\sqsubseteq_{wlp}$ part of the proof is trivial; in fact $A =_{wlp} B$ implies that $A \nabla C$ and $B \nabla C$ are $wlp$-equivalent. Because of this fact and the pairing condition, the $\sqsubseteq_{wp}$ part of the proof can be completed by showing that

$$(A \sqsubseteq B) \Rightarrow (hlt.(A \nabla C) \Rightarrow hlt.(B \nabla C)) .$$

To prove this, assume $A \sqsubseteq B$ and compute

$$\begin{array}{cl}
 & hlt.(A \nabla C) \\
= & \{\ \text{Definition of } \nabla\ \} \\
  & (hlt.A \vee hlt.C) \wedge (grd.A \vee hlt.C) \wedge (hlt.A \vee grd.C) \\
\Rightarrow & \{\ hlt.A \wedge grd.A \Rightarrow grd.B \text{ was shown in SRC-16 to be a consequence of } A \sqsubseteq B \text{ (in the proof of continuity of } \diamond)\ \} \\
  & (hlt.A \vee hlt.C) \wedge (grd.B \vee hlt.C) \wedge (hlt.A \vee grd.C) \\
\Rightarrow & \{\ hlt.A \Rightarrow hlt.B \text{ is a consequence of } A \sqsubseteq B\ \} \\
  & (hlt.B \vee hlt.C) \wedge (grd.B \vee hlt.C) \wedge (hlt.B \vee grd.C) \\
= & \{\ \text{Definition of } \nabla\ \} \\
  & hlt.(B \nabla C) \qquad \blacksquare
\end{array}$$

If $f$ is a function from commands to commands defined by an expression of the form $f.X = E$, then by $f^*$ we denote the function defined by $f^*.X = E^*$, where $E^*$ is $E$ with all occurrences of $\nabla$ replaced by $\square$.

Lemma D. If $f$ is defined by an expression of the form $f.X = E$, and if every operator in $E$ respects the acceptable equivalence relation $\sim$, and if every operator occurring in $E$ is $\sqsubseteq$-monotonic except for $\nabla$, then for any commands $A$ and $B$:

(D1) $A \sim B \Rightarrow f^*.A \sim f.B$.

(D2) $A \sqsubseteq B \Rightarrow f^*.A \sqsubseteq f.B$.

(D3) $(A \sim B) \wedge (A \sqsubseteq B) \Rightarrow f.A \sqsubseteq f.B$.

Proof. The three proofs are all straightforward inductions on the size of $E$. In the base case, where $f$ is the identity or a constant function, the three claims can be verified by inspection. Each of the three induction steps has two cases: the case where the outermost operator of $E$ is $\nabla$, in which $f.X = g.X \nabla h.X$, for two functions $g$ and $h$ defined by expressions smaller than $E$; and the case where the outermost operator of $E$ is not $\nabla$, in which $f.X = g.(h.X)$, where $g$ is an operator other than $\nabla$ and $h$ is defined by an expression smaller than $E$. Here are the proofs of the two cases for each of the three steps:

D1, $\nabla$ case:

$$\begin{array}{cl}
 & f^*.A \sim f.B \\
= & g^*.A \square h^*.A \ \sim\ g.B \nabla h.B \\
= & \{\ \sim \text{ is acceptable (A2) and transitive }\ \} \\
  & g^*.A \square h^*.A \ \sim\ g.B \square h.B \\
\Leftarrow & \{\ \sim \text{ is acceptable (A1) }\ \} \\
  & g^*.A \sim g.B \ \wedge\ h^*.A \sim h.B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sim B
\end{array}$$

D1, other case:

$$\begin{array}{cl}
 & f^*.A \sim f.B \\
= & g.(h^*.A) \sim g.(h.B) \\
\Leftarrow & \{\ g \text{ respects } \sim \text{ by hypothesis }\ \} \\
  & h^*.A \sim h.B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sim B
\end{array}$$

D2, $\nabla$ case:

$$\begin{array}{cl}
 & f^*.A \sqsubseteq f.B \\
= & g^*.A \square h^*.A \ \sqsubseteq\ g.B \nabla h.B \\
\Leftarrow & \{\ \text{Lemma B, transitivity of } \sqsubseteq\ \} \\
  & g^*.A \square h^*.A \ \sqsubseteq\ g.B \square h.B \\
\Leftarrow & \{\ \square \text{ is } \sqsubseteq\text{-monotonic}\ \} \\
  & g^*.A \sqsubseteq g.B \ \wedge\ h^*.A \sqsubseteq h.B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sqsubseteq B
\end{array}$$

D2, other case:

$$\begin{array}{cl}
 & f^*.A \sqsubseteq f.B \\
= & g.(h^*.A) \sqsubseteq g.(h.B) \\
\Leftarrow & \{\ g \text{ is } \sqsubseteq\text{-monotonic by hypothesis }\ \} \\
  & h^*.A \sqsubseteq h.B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sqsubseteq B
\end{array}$$

D3, $\nabla$ case:

$$\begin{array}{cl}
 & f.A \sqsubseteq f.B \\
= & g.A \nabla h.A \ \sqsubseteq\ g.B \nabla h.B \\
\Leftarrow & \{\ \sim \text{ is acceptable; Lemma C}\ \} \\
  & g.A \sim g.B \ \wedge\ g.A \sqsubseteq g.B \ \wedge\ h.A \sim h.B \ \wedge\ h.A \sqsubseteq h.B \\
\Leftarrow & \{\ \text{Every operator in } E \text{ respects } \sim, \text{ hence by structural induction } h \text{ and } g \text{ respect } \sim\ \} \\
  & g.A \sqsubseteq g.B \ \wedge\ h.A \sqsubseteq h.B \ \wedge\ A \sim B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sqsubseteq B \ \wedge\ A \sim B
\end{array}$$

D3, other case:

$$\begin{array}{cl}
 & f.A \sqsubseteq f.B \\
= & g.(h.A) \sqsubseteq g.(h.B) \\
\Leftarrow & \{\ g \text{ is } \sqsubseteq\text{-monotonic by hypothesis }\ \} \\
  & h.A \sqsubseteq h.B \\
\Leftarrow & \{\ \text{induction}\ \} \\
  & A \sqsubseteq B \ \wedge\ A \sim B
\end{array}$$

This completes the proof of Lemma D. $\blacksquare$

Theorem 3. Let $f$ be a map from commands to commands defined by an expression of the form $f.X = E$. Let $\sim$ be an acceptable equivalence relation respected by each operation occurring in $E$. Suppose that every operation occurring in $E$ is $\sqsubseteq$-monotonic except for $\nabla$. Then $f$ has a least fixpoint in the order $\le$, defined by

$$A \le B \equiv (A \sqsubseteq_{wlp} B) \wedge ((A \sim B) \Rightarrow (A \sqsubseteq B)) .$$

Proof. The proof follows the outline sketched in the previous section. By Theorem 8 of SRC-16, $f^*$ has a $\sqsubseteq$-least fixpoint, say $X^*$. Let $S$ be the set of all $Y$ such that $X^* \sim Y$ and $X^* \sqsubseteq Y$. First, we show that $f$ carries $S$ into $S$:

$$\begin{array}{cl}
 & Y \in S \\
= & (X^* \sim Y) \wedge (X^* \sqsubseteq Y) \\
\Rightarrow & \{\ \text{Lemma D}\ \} \\
  & (f^*.X^* \sim f.Y) \wedge (f^*.X^* \sqsubseteq f.Y) \\
= & \{\ f^* \text{ fixes } X^*\ \} \\
  & (X^* \sim f.Y) \wedge (X^* \sqsubseteq f.Y) \\
= & f.Y \in S
\end{array}$$

Second, we show that $f$ has a $\sqsubseteq$-least fixpoint on $S$, using the Knaster-Tarski Theorem. This theorem requires that $f$ be $\sqsubseteq$-monotonic on $S$ and that the $\sqsubseteq$-join of any $\sqsubseteq$-chain in $S$ lie in $S$. By Lemma D (part D3, whose $\nabla$ case rests on Lemma C), the restriction of $f$ to $S$ is $\sqsubseteq$-monotonic, since any two members of $S$ are $\sim$-equivalent. By acceptability (A4), the join of any non-empty chain in $S$ lies in $S$. By definition, $S$ contains a $\sqsubseteq$-minimum element, namely $X^*$, and therefore the empty chain also has a join in $S$. Therefore the Knaster-Tarski Theorem applies, showing that $f$ has a $\sqsubseteq$-least fixpoint in $S$, which we will call $X$.

It remains to show that $X$ is $\le$-minimal among all fixpoints of $f$. Let $Y$ be a fixpoint of $f$. To show $X \le Y$, we must show that $X \sqsubseteq_{wlp} Y$ and that $X \sim Y$ implies $X \sqsubseteq Y$. As a stepping stone to these two goals, we first prove that $X^* \sqsubseteq Y$:

$$\begin{array}{cl}
 & X^* \sqsubseteq Y \\
\Leftarrow & \{\ \text{By Knaster-Tarski, the least fixpoint precedes every pre-fixpoint}\ \} \\
  & f^*.Y \sqsubseteq Y \\
= & \{\ Y \text{ is a fixpoint of } f\ \} \\
  & f^*.Y \sqsubseteq f.Y \\
\Leftarrow & \{\ \text{Lemma D (D2), with } Y \sqsubseteq Y\ \} \\
  & \mathit{true}
\end{array}$$

Next we show that $X \sqsubseteq_{wlp} Y$:

$$\begin{array}{cl}
 & X \sqsubseteq_{wlp} Y \\
= & \{\ X^* \sim X, \text{ hence (A3) } X^* =_{wlp} X\ \} \\
  & X^* \sqsubseteq_{wlp} Y \\
\Leftarrow & X^* \sqsubseteq Y \\
= & \{\ \text{Stepping stone}\ \} \\
  & \mathit{true}
\end{array}$$

Finally we show that $X \sim Y$ implies $X \sqsubseteq Y$:

$$\begin{array}{cl}
 & X \sqsubseteq Y \\
\Leftarrow & \{\ X \text{ is the } \sqsubseteq\text{-least fixpoint of } f \text{ on } S\ \} \\
  & Y \in S \\
= & (X^* \sim Y) \wedge (X^* \sqsubseteq Y) \\
= & \{\ \text{Stepping stone}\ \} \\
  & X^* \sim Y \\
\Leftarrow & \{\ X \sim X^*\ \} \\
  & X \sim Y
\end{array}$$

This completes the proof of Theorem 3. $\blacksquare$

7. Proofs of Theorems 1 and 2 

In this section we deduce Theorems 1 and 2 from Theorem 3. 
Lemma E. The equivalence relations $=_{wlp}$ and $=_{*}$ are acceptable.

Proof. We must verify conditions (A1)-(A4). Condition (A3) is immediate, since both $=_{wlp}$ and $=_{*}$ are as strong as $=_{wlp}$. The other conditions will be verified for $=_{wlp}$ and for $=_{grd}$. This suffices to prove the lemma, since these conditions have the property that if they hold for two relations, then they also hold for the intersection of the two; and $=_{*}$ is the intersection of $=_{wlp}$ and $=_{grd}$.

Condition (A1), that $\square$ respects $=_{wlp}$ and $=_{grd}$, follows from the $wlp$ and guard equations for $\square$:

$$wlp.(A \square B).R = wlp.A.R \wedge wlp.B.R$$
$$grd.(A \square B) = grd.A \vee grd.B$$

For example, the only occurrence of $A$ on the right-hand side of the first equation is in $wlp.A$, thus $wlp.(A \square B).R$ depends on $A$ only insofar as it depends on the $=_{wlp}$ equivalence class of $A$.

Condition (A2) is that $A \nabla B$ be equivalent to $A \square B$. For $=_{wlp}$, this follows because $\square$ and $\nabla$ have the same $wlp$-equation; for $=_{grd}$, this follows from Lemma A.

Condition (A4) is a consequence of the formula from SRC-16 for the precondition of the join of a chain that was presented in Section 2. Let $A_i$ be a non-empty family of commands. If $A_i =_{wlp} B$ for all $i$, then

$$\begin{array}{cl}
 & wlp.(\sqcup\, i :: A_i).R \\
= & (\wedge\, i :: wlp.A_i.R) \\
= & (\wedge\, i :: wlp.B.R) \\
= & wlp.B.R
\end{array}$$

If $A_i =_{grd} B$ for all $i$, then

$$\begin{array}{cl}
 & grd.(\sqcup\, i :: A_i) \\
= & \neg wp.(\sqcup\, i :: A_i).\mathit{false} \\
= & \neg (\vee\, i :: wp.A_i.\mathit{false}) \\
= & \neg (\vee\, i :: \neg grd.A_i) \\
= & \neg (\vee\, i :: \neg grd.B) \\
= & \{\ \text{the family is non-empty}\ \} \\
  & grd.B
\end{array}$$

This completes the proof of Lemma E. $\blacksquare$

Proof of Theorem 1. Inspection of the $wlp$-equations for the five operators

$$\square \qquad \rightarrow \qquad ; \qquad [\,\mid\,] \qquad \nabla$$

shows that these operators respect $=_{wlp}$. Theorem 1 therefore follows from Theorem 3 and Lemma E. $\blacksquare$

Proof of Theorem 2. Simple calculations, which will be left to the reader, show that

$$wlp.(A ;; B).R = wlp.A.(wlp.B.R)$$
$$grd.(A ;; B) = grd.A$$

Thus $;;$ respects $=_{wlp}$ and $=_{grd}$, and therefore also respects $=_{*}$. Inspection of the $wlp$ and guard equations for the four operators

$$\square \qquad \rightarrow \qquad [\,\mid\,] \qquad \nabla$$

shows that these operators respect $=_{wlp}$ and $=_{grd}$, and therefore also $=_{*}$.

To prove that $\diamond$ respects $=_{*}$, assume that $A =_{*} A'$ and $B =_{*} B'$, and compute:

$$\begin{array}{cl}
 & wlp.(A \diamond B).R \\
= & wlp.A.R \wedge (grd.A \vee wlp.B.R) \\
= & wlp.A'.R \wedge (grd.A' \vee wlp.B'.R) \\
= & wlp.(A' \diamond B').R
\end{array}$$

$$\begin{array}{cl}
 & grd.(A \diamond B) \\
= & grd.A \vee grd.B \\
= & grd.A' \vee grd.B' \\
= & grd.(A' \diamond B')
\end{array}$$

Theorem 2 therefore follows from Theorem 3 and Lemma E. $\blacksquare$

Notice that $\diamond$ does not respect $=_{wlp}$ in its first argument, and $;$ does not respect $=_{grd}$ in its first argument. Thus Theorem 3, which is our only tool for constructing fixpoints involving $\nabla$, cannot accommodate $\diamond$ and $;$ simultaneously. Thus any two of the three operators $\diamond$, $;$, $\nabla$ can be handled together, but not all three.

8. Conclusions

The formal treatment of dovetail is somewhat curious: a function $f$ is proved to have a least fixpoint with respect to an order $\le$, although $f$ is not monotonic with respect to $\le$. The proof is based on an order with respect to which the function does not have a least fixpoint.

It is obvious that proof techniques can be based on the given construction.

Dovetail could be of practical importance in studying classes of implementations of loop-avoiding operators. For example, it could be used to model loop-avoiding communication when merging several communication lines.